The basics
ISO 27001 control A.8.13 Information backup requires companies to maintain and test backup copies of sensitive information. This is important because if data is lost and there is no backup copy, a company will not be able to recover this data.
Documentation
ISO 27001 control A.8.13 Information backup can be documented by writing:
- for smaller companies – through Security Procedures for IT Department
- for mid-size and larger companies – through a separate Backup Policy
These documents are not mandatory but are recommended for companies according to their size.
Implementation
In order to comply with control A.8.13 Information backup you might implement the following:
- Technology — the technology to enable information backup in most cases will be already available in the company. Companies of all sizes will probably be able to back up the required information by manually copying data from their computers and mobile devices to backup servers, or by using backup services to automate which data from devices and servers will be copied to backup servers.
- Organization/processes — you should set up a process for determining which information to back up, how often, and how to test backup copies. You can document those processes through Security Procedures for IT Department or a Backup Policy.
- People — make employees aware of the importance of backing up information, and train the IT staff on how to perform backup and test backup copies.
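The process item above asks for a way to test backup copies, not only to make them. The following is an added example (not code from the page or from any backup product) of what such a test can look like in practice: a backup copy is written together with a checksum manifest, and a restore test later restores the copy into a scratch location and compares every restored file against that manifest, reporting missing or altered files. The manifest file name, the directory layout and the sample files are all constructed for the example.

```python
"""Backup copy with a checksum manifest, plus a restore test that verifies it.

Added illustration for an A.8.13-style backup-testing process; the manifest
name, paths and sample data below are assumptions made for this example.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"  # assumed name for the checksum list


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(source: Path, backup_dir: Path) -> dict:
    """Copy the source tree into backup_dir and store a checksum manifest beside it."""
    shutil.copytree(source, backup_dir, dirs_exist_ok=True)
    manifest = build_manifest(backup_dir)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore the backup into restore_dir and compare the result with the manifest.

    'ok' is True only when every file listed in the manifest was restored with an
    identical digest; 'missing' and 'corrupted' list the files that failed.
    """
    expected = json.loads((backup_dir / MANIFEST_NAME).read_text())
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    actual = build_manifest(restore_dir)
    missing = sorted(name for name in expected if name not in actual)
    corrupted = sorted(
        name for name in expected if name in actual and actual[name] != expected[name]
    )
    return {
        "ok": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "files_checked": len(expected),
    }


def demo() -> dict:
    """Back up constructed sample data, test a clean restore, then test a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "hr").mkdir(parents=True)
        # Constructed sample files standing in for the information to be backed up.
        (source / "hr" / "payroll.csv").write_text("id,name,salary\n1,Ada,1000\n")
        (source / "notes.txt").write_text("constructed sample data\n")

        backup_dir = tmp / "backup"
        make_backup(source, backup_dir)
        clean = verify_restore(backup_dir, tmp / "restore-1")

        # Simulate a silently altered file and a lost file in the backup copy;
        # the restore test must report both instead of passing.
        (backup_dir / "hr" / "payroll.csv").write_text("id,name,salary\n1,Ada,9999\n")
        (backup_dir / "notes.txt").unlink()
        damaged = verify_restore(backup_dir, tmp / "restore-2")
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the restore into a scratch directory rather than over the live data is deliberate: a restore test that overwrites production would itself be a risk, and a checksum comparison against a manifest recorded at backup time is what turns "we have a copy" into "we have a copy we can prove is intact", which is the evidence the audit section below asks for.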
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.13 Information backup: whether backup copies of information, software, and systems are maintained and tested according to the agreed backup policy.